Surveillance Spyware Originally Found On iOS Now Targeting Android

In 2016, security firms Lookout and Citizen Lab identified a dangerous new type of malware, dubbed Pegasus, that surfaced in the iOS ecosystem. The software was developed and sold by the NSO Group, a licensed cyber-arms dealer operating out of Israel. Highly advanced, it was primarily sold to governments, including a number of oppressive regimes, which used the software to track down dissidents in those countries.

The software was incredibly capable and extremely effective, allowing the hackers controlling it to gain almost total control over a victim’s phone. Using it, they could, among other things:

• Collect SMS settings and messages • Monitor call logs, calendars and browser histories • Comb through emails • Monitor messages from most popular messaging apps like Facebook, Twitter, Viber, Skype, and WhatsApp • Coopt the phone’s alarm system to schedule various malicious activities • Activate both the front and rear cameras remotely to spy on the phone’s owner • Take screen shots • Answer the phone and listen in on conversations • Log all keystrokes • Auto-delete itself if discovered, or at the command of the hackers

The two security firms knew from the start, based on sales literature from the NSO Group, that an Android version also existed. But to date, they had been unable to find evidence of it in the wild. That changed recently, with the discovery of Chrysaor, the Android variant of Pegasus, that is even more advanced and full-featured.

A joint effort by Lookout and Google tracked the software to some two dozen phones in Georgia, the Ukraine and Turkey, and Google was able to remotely disable the software, but it is unknown how many more infected users might be out there. Chrysaor is extremely adept at hiding itself and virtually impossible to track down.

BGR reports that Lookout says “Pegasus for Android does not require zero-day vulnerabilities to root the target device and install the malware. Instead, the threat uses an otherwise well-known rooting technique called Framaroot. In the case of Pegasus for iOS, if the zero-day attack execution failed to jailbreak the device, the attack sequence failed overall. In the Android version, however, the attackers built in functionality that would allow Pegasus for Android to still ask for permissions that would then allow it to access and exfiltrate data. The failsafe jumps into action if the initial attempt to root the device fails.This means Pegasus for Android is easier to deploy on devices and has the ability to move laterally if the first attempt to hijack the device fails.”

For now, the software seems to be employed primarily by governments. It has never been found in the hands of independent hacking groups, which means you’re almost certain never to run across it. If that changes, however, it would represent a grave, large-scale threat to global digital security.